April 11, 2023

Exynos Modems

Lookout Coverage and Recommendation for Admins

Lookout provides multilayered protection for devices that are exploitable through multiple vectors. We strongly suggest users keep their devices on auto-update so that security fixes are installed as they become available. Lookout will detect if an attacker successfully compromises the device at the OS level. Lookout admins should configure policies to the appropriate risk/response level. They can then choose whether to alert the user that the device is out of compliance or block access to enterprise resources.

Overview

Google Project Zero listed 18 vulnerabilities in Samsung Exynos modems produced by Samsung Semiconductor. The four most severe vulnerabilities are CVE-2023-24033, CVE-2023-26496, CVE-2023-26497 and CVE-2023-26498, which allow for remote exploitation of the baseband from the internet, thereby permitting attackers to compromise the phone without any user interaction. The attacker only needs to know the victim's phone number. The other 14 vulnerabilities are not as severe, as they require either a malicious mobile network operator or local access to the device.

Affected device models:

  • Devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12 and A04 series;
  • Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series;
  • The Pixel 6 and Pixel 7 series of devices from Google.

While the affected Pixel devices have received fixes for all four CVEs mentioned above in their March ASPL update, others have not yet released a patch. In the case of a compromised device, Lookout will be able to detect the compromise and alert both the user and the admin. Users with affected devices can also protect themselves, if allowed by the carrier, by turning off Wi-Fi calling and Voice over LTE (VoLTE) in their device settings.

Lookout Analysis

While only a limited amount of information has been published regarding these vulnerabilities, we know that CVE-2023-24033, CVE-2023-26496, CVE-2023-26497 and CVE-2023-26498 are capable of remote code execution and should be considered highly severe. An attacker would likely use these vulnerabilities as an entry point to a device and then pivot from the baseband to compromise the operating system running on the application processor, where they would have access to user data.

Authors

Lookout


Platform(s) Affected: Android
Threat Type: Vulnerability
Entry Type: Threat Guidances